On Fri, Jul 8, 2016 at 9:02 AM, Andrew Savchenko <birc...@gentoo.org> wrote:
> On Wed, 6 Jul 2016 23:13:55 +0300 Andrew Savchenko wrote:
> > On Wed, 06 Jul 2016 20:23:46 +0900 Aaron Bauman wrote:
> > > What kind of policing would you like to see councilman? Would you like to see me removed from the project, because your precious package was p.masked? You have ignored everything I have said regarding your inability to work with the security team. Even after an apology from me and a request to work with us you continue on with the rhetoric of powers. It displays a lot about your inability to work with others.
> > >
> > > No other developer is complaining... it is *literally* only you.
> >
> > It is really not just him. I do not agree with the media-video/motion pmask with a 30-day removal term. But I had not pushed this issue hard, since I'm not a maintainer of this package.
> >
> > If this package had been masked without a removal term, I could at least accept, if not agree with, such an action. But there is no other alternative for this package and the security bugs are not critical (at least they do not affect many use cases at all). So removal from the tree will harm our users significantly.
> >
> > When the approach is "mask until issues are resolved, so that users are informed about the security hazard" — it sounds reasonable, and we already have several packages in the tree this way. But when the approach is to purge a package from the tree in 30 days regardless of the severity of the security flaws and ignoring the fact that there is nothing to replace this package with — this is not the kind of policy I'd like to see in Gentoo.
> >
> > Please understand me correctly: I'm not blaming you or the security team for this or that issue. But it looks like the security team indeed needs to review some policies and approaches to suit the needs of Gentoo users better in terms of both security and usability, to find some reasonable compromise between them which will satisfy most users. For these very issues it looks like canceling the "removal in 30 days" clause from the p.mask action will do the job.
>
> One more package to the list: app-cdr/xcdroast. It was being tree cleaned[1] due to a minor security flaw (o+r on suid binary) on optional functionality disabled by default (so users have to enable that suid binary themselves each time after a package update).

The treecleaning policies are pretty clear:
https://wiki.gentoo.org/wiki/Project:Treecleaner/Policy

Packages should probably not live in the tree for years with open security issues. If nothing else, someone (e.g. a maintainer) should decide that the issue is minor and fix it. No one had done so for Xcdroast, and so it was slated for removal. For instance, they could remove suid entirely (force people to use sudo to burn, or similar setups.)

> And despite multiple calls from users (see user comments on [1] and read the whole thread [2]) saying they need this package, they were asked by the security team to "stop spamming this bug"[3]. Such actions in my opinion do more harm than good by deteriorating user experience and the number of choices available, while bringing only a small and not always meaningful security improvement.

Yeah, that is not great, but in the end we would prefer someone step up and maintain the package. It's not clear that the status quo was a great situation (regardless of what the users thought.)

> So it looks like both the security and treecleaners teams need to review their policies or at least discuss these problems publicly in more detail. Looks like one such discussion is emerging in thread [4].

Xcdroast hasn't had a new release in 8 years, and is unmaintained. So if no one in Gentoo is going to maintain it, I do question why we keep it around; someone should be keeping an eye on it (minimally media-optical, which seems dead?)

-A

> [1] https://bugs.gentoo.org/show_bug.cgi?id=345337
> [2] https://archives.gentoo.org/gentoo-user/message/6ef4447b7ffa34910ed203f4fff73cfc
> [3] https://bugs.gentoo.org/show_bug.cgi?id=345337#c18
> [4] https://archives.gentoo.org/gentoo-dev/message/b39c9b7365f0482ed1d5236d9ae2f6f4
>
> Best regards,
> Andrew Savchenko